[FAQ] `webSecurity` and `allowRunningInsecureContent` from app configuration are ignored when starting apps from a REST app store

Question

We have a development team that needs to temporarily disable certain web security settings in order to load resources over HTTP from an app loaded via HTTPS. The app is defined in a REST app store with the following configuration:

  "details": {
     ...
    "security": {
      "webSecurity": false,
      "allowRunningInsecureContent": true
    }
  }

We can confirm that the REST app store returns the app definition with webSecurity: false and allowRunningInsecureContent: true, and that the same configuration is cached on disk by io.Connect Desktop.

However, when we start the app programmatically and then inspect the configuration:

const appDefinitions = await g.appManager.getConfigurations([appName]);

or check the desktop logs, we see that the platform has flipped the security settings back to their defaults, for example:

"security": {
  "webSecurity": true,
  "allowRunningInsecureContent": false
  ...
}

Why are these settings being ignored, and how can we allow the app definition’s security settings from the REST store to take effect?


Answer

When using a REST app store, io.Connect Desktop applies a security model in which the platform-level security configuration overrides certain security-related fields of the app definition, even if the REST app store manifest explicitly sets them to less strict values. This is why the definition cached on disk still contains `webSecurity: false` and `allowRunningInsecureContent: true`, while the configuration reported at runtime has been reset to the platform values `webSecurity: true` and `allowRunningInsecureContent: false`.

This behavior is intentional and is part of the security guarantees around app directory support: an app store on its own cannot weaken the security posture the platform enforces. It did, however, leave deployments that run trusted internal app stores with no way to opt out.

Resolution: use a trusted REST app store (io.Connect Desktop ≥ 9.10.1)

Starting with io.Connect Desktop 9.10.1, a new `trusted` property was introduced for app store configurations. The changelog describes it as follows:

If true, the app store will be trusted by the platform and the security settings specified in the app definitions won’t be overridden by the security settings in the system configuration.

To allow your REST app store’s app definitions to control the security settings:

  1. Upgrade to a version that includes trusted app store support:
    • io.Connect Desktop / Interop 9.10.1 or later
  2. Set the app store as trusted in system.json by adding `"trusted": true` to the `details` object of the store entry. The snippet below is the changelog example and shows a `path` store; add the same property to the `details` of your REST app store entry:
{
    "appStores": [
        {
            "type": "path",
            "details": {
                "path": "./config/apps",
                // The app store will be considered trusted by the platform and any security settings
                // you may have specified in FDC3 app definitions won't be automatically overridden.
                "trusted": true
            }
        }
    ]
}

With the store marked as trusted:
  • The platform treats that app store as a trusted source
  • The `security` block from the app definition is respected and no longer overridden by the platform defaults
  • Tests like `await fetch("http://example.com")` from an HTTPS app behave according to the app’s own security configuration, which you can confirm by inspecting the result of `appManager.getConfigurations([appName])` after the app starts
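As an added example (not io.Connect Desktop code and not taken from the changelog), the following Node.js script models the rule described above, the platform value for every field when the store is untrusted and the app definition's own value when it is trusted, and audits a system.json `appStores` array against the definitions each store serves. It flags definitions whose relaxed settings would be silently overridden and trusted stores that expose relaxed apps, and includes a helper to compare what `getConfigurations` reports at runtime with what the store defines. The `rest` store entry shape (`type` and `url`), the app names and the definitions are constructed for illustration, and the model covers only the two fields discussed on this page.

```javascript
// Added example: model how io.Connect Desktop treats app-definition security
// settings for trusted vs. untrusted app stores, and audit a system.json for it.
// Assumptions (not from the product docs): only the two fields discussed on the
// page are modelled, and for an untrusted store both fields are reset to the
// platform values. The "rest" store shape below is assumed for illustration.

const SECURITY_FIELDS = ["webSecurity", "allowRunningInsecureContent"];

// Values the platform falls back to for an untrusted store, as observed in the
// question: webSecurity true, allowRunningInsecureContent false.
const PLATFORM_DEFAULTS = { webSecurity: true, allowRunningInsecureContent: false };

// What the platform will actually apply for one app definition.
function effectiveSecurity(appSecurity = {}, storeTrusted, platformSecurity = PLATFORM_DEFAULTS) {
  const result = {};
  for (const field of SECURITY_FIELDS) {
    const requested = appSecurity[field];
    result[field] =
      storeTrusted && requested !== undefined ? requested : platformSecurity[field];
  }
  return result;
}

// A definition is "relaxed" if it asks for either weakening of browser security.
function isRelaxed(security) {
  return security.webSecurity === false || security.allowRunningInsecureContent === true;
}

// Audit: given the appStores array from system.json and the app definitions each
// store serves (keyed by store index), report relaxed definitions together with
// what will really happen to them.
function auditStores(appStores, definitionsByStore) {
  const findings = [];
  appStores.forEach((store, index) => {
    const trusted = store.details?.trusted === true;
    for (const def of definitionsByStore[index] ?? []) {
      const requested = def.details?.security ?? {};
      if (!isRelaxed(requested)) continue;
      findings.push({
        store: index,
        type: store.type,
        app: def.name,
        trusted,
        effective: effectiveSecurity(requested, trusted),
        verdict: trusted
          ? "relaxed settings take effect (review before production)"
          : "relaxed settings will be overridden by the platform",
      });
    }
  });
  return findings;
}

// Compare what getConfigurations() reports at runtime with what the store
// defines; an empty array means the trusted flag is working as intended.
function securityMismatches(expected, observed) {
  return SECURITY_FIELDS.filter(
    (field) => expected[field] !== undefined && expected[field] !== observed[field]
  );
}

// Constructed sample input (not a real deployment).
const sampleAppStores = [
  { type: "rest", details: { url: "https://appstore.internal.example/apps", trusted: true } },
  { type: "path", details: { path: "./config/apps" } },
];
const sampleDefinitions = {
  0: [{ name: "dev-dashboard", details: { security: { webSecurity: false, allowRunningInsecureContent: true } } }],
  1: [
    { name: "legacy-widget", details: { security: { webSecurity: false } } },
    { name: "hardened-app", details: { security: { webSecurity: true } } },
  ],
};

const sampleFindings = auditStores(sampleAppStores, sampleDefinitions);
for (const f of sampleFindings) {
  console.log(`[store ${f.store}/${f.type}] ${f.app}: ${f.verdict}`, f.effective);
}
```

Run it with `node audit.js`; in the sample, `dev-dashboard` is reported as taking effect because its store is trusted, `legacy-widget` as overridden because its store is not, and `hardened-app` is not reported at all.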

Setting `webSecurity: false` disables the browser's same-origin policy for that app, and `allowRunningInsecureContent: true` lets a page loaded over HTTPS run scripts and other active content fetched over plain HTTP; together they expose users to mixed-content and man-in-the-middle risks. Note also that `trusted` applies to the whole app store, not to a single app: every definition served by a trusted store can relax these settings. Use them only when absolutely necessary, preferably only in controlled development environments, and keep such apps in a separate store rather than marking a shared production store as trusted.

Docs: see the 9.10.1 changelog, section “Trusted app stores”:

io.Connect Desktop Documentation - Changelog > io.Connect Desktop 9.10.1